Ansible fails to properly sanitize fact variables sent from the Ansible controller · CVE-2016-8628 · GitHub Advisory Database · GitHub

Ansible fails to properly sanitize fact variables sent from the Ansible controller

Critical severity GitHub Reviewed Published Oct 10, 2018 to the GitHub Advisory Database • Updated Aug 23, 2023

Package

ansible (pip)

Affected versions

< 2.2.0

Patched versions

2.2.0

Description

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

References

Published to the GitHub Advisory Database Oct 10, 2018

Reviewed Jun 16, 2020

Last updated Aug 23, 2023

Severity

Critical

9.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

High

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H